SecurityTokenExpiredException reported in Azure #10625

shedspotter created 3 months ago

Hi,

product version = 9.0.1 product type = Angular product framework type = .net core 3.1

SecurityTokenExpiredException reported in Azure

Reviewing SQL activity, the DTU utilization is low

Reviewing application insights in Azure for the web app there are frequent exceptions raised around SecurityTokenExpiredException.

Digging into the transaction detail for one example, a 12.7 delay was caused by this exception consuming /api/TokenAuth/Authenticate

Simply refreshing the login page is one example where the exception is raised. timings can vary.

Logs: Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException: at Microsoft.IdentityModel.Tokens.Validators.ValidateLifetime (Microsoft.IdentityModel.Tokens, Version=5.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateLifetime (System.IdentityModel.Tokens.Jwt, Version=5.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload (System.IdentityModel.Tokens.Jwt, Version=5.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken (System.IdentityModel.Tokens.Jwt, Version=5.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35) at SSD.Web.Authentication.JwtBearer.SSDJwtSecurityTokenHandler.ValidateToken (SSD.Web.Core, Version=9.0.1.0, Culture=neutral, PublicKeyToken=null: D:\a\1\s\SSD\aspnet-core\src\SSD.Web.Core\Authentication\JwtBearer\SSDJwtSecurityTokenHandler.cs:42) at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler+<HandleAuthenticateAsync>d__6.MoveNext (Microsoft.AspNetCore.Authentication.JwtBearer, Version=3.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)

Thanks

14 Answer(s)

0
musa.demir created 3 months ago
Support Team
Hi @shedspotter

That error is thrown by System.IdentityModel.Tokens.Jwt.ValidateToken method, (see:https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler.validatetoken?view=azure-dotnet). Refreshing your browser should not cause the error. Can you please check these:

Check if your token lifetime is long enough.(https://github.com/aspnetzero/aspnet-zero-core/blob/2269967cc03e5c460e2d6c0833cb97feaa5d1fad/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Application.Shared/AppConsts.cs#L49)

Check if your current token is really expired? (you can use https://jwt.io/)

Check if your current token exists, if it exists store it. Then refresh your browser and check if they are equal.
0

shedspotter created 3 months ago

Hi musa.demir,

Thank you for the response

step 1. it is same like shared link. step 2. the current token is not expired. step 3. after following the 3rd step the previous token and the new token after refreshing the browser has same expiration time

Thanks
0

musa.demir created 3 months ago
Support Team

Hi @shedspotter

Can you please share your token's exp field and the exact time you get the error(with timezone)? It might has timezone problem.
0

shedspotter created 3 months ago

Hi @musa.demir

Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1laWRlbnRpZmllciI6Ijk0IiwiaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNS8wNS9pZGVudGl0eS9jbGFpbXMvbmFtZSI6ImNzaGFoIiwiQXNwTmV0LklkZW50aXR5LlNlY3VyaXR5U3RhbXAiOiJXR0wyWEg1RFg1Sk9aWEFMU0FUM1Y0V1BUUURDSVJKRSIsImh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd3MvMjAwOC8wNi9pZGVudGl0eS9jbGFpbXMvcm9sZSI6IkFkbWluIiwiaHR0cDovL3d3dy5hc3BuZXRib2lsZXJwbGF0ZS5jb20vaWRlbnRpdHkvY2xhaW1zL3RlbmFudElkIjoiMTAyIiwiaHR0cDovL3d3dy5hc3BuZXRib2lsZXJwbGF0ZS5jb20vaWRlbnRpdHkvY2xhaW1zL2ltcGVyc29uYXRvclVzZXJJZCI6IjEiLCJzdWIiOiI5NCIsImp0aSI6ImM1OTRmZDA1LWYyMTUtNDhhYy05ODYyLWVkZWE2ZjFlMzdjMSIsImlhdCI6MTYzNTMxMDkzNiwidG9rZW5fdmFsaWRpdHlfa2V5IjoiZmNjY2ZhNDktNWRjMi00ODYwLWE0OGQtMDdkY2I3YjUzNDBiIiwidXNlcl9pZGVudGlmaWVyIjoiOTRAMTAyIiwidG9rZW5fdHlwZSI6IjAiLCJuYmYiOjE2MzUzMTA5MzYsImV4cCI6MTYzNTM5NzMzNiwiaXNzIjoiU1NEIiwiYXVkIjoiU1NEIn0.M4VujdjiMq4QBVJ3EU2e_FtVdPwQNm1-ncqhdiRJcBc
0

ismcagdas created 3 months ago
Support Team

Hi @shedspotter

Did you get the same error with this token ? If so, could you share the exact time you get the error(with timezone)?

Thanks,
0

shedspotter created 2 months ago

Hi **@ismcagdas **

TimeZone : UTC and I am not sure what is the actual exception token and it's very hard to replicate accordingly here is exception details

Thanks
0

ismcagdas created 2 months ago
Support Team

Hi @shedspotter

Can you reproduce the problem ? If so, could you share your website URL and a test user account credentials with info@aspnetzero.com ? If we can reproduce the problem, we can understand the real cause.
0
ricavir created 2 months ago
Hi,

I'm also getting a lot of SecurityTokenExpiredException exceptions.

We are having these exeptions with all tenants in the same timezone.

These exceptions are happening mainly with following endpoints :

POST /api/TokenAuth/Authenticate

POST /signalr/negociate

SecurityTokenExpiredException is sometimes followed by SecurityTokenInvalidSignatureException.

Our app is having performance issues and we are tracking these exceptions on AppInsights.

I don't know how to reproduce this and help you guys to find the issue...

Please, tell me how can I help finding this issue ?
0

ismcagdas created 2 months ago
Support Team

Hi @ricavir

Could you add a log to TokenAuth/Authenticate method to log the token and DateTime.UtcNow ? Then, share it with us for a request with this error ?

Could oyu also share which version of AspNet Zero do you use ?
0

ricavir created 2 months ago

Hi @ismcagdas,

I'm using Abp 6.4. I can add a log as you requested and come back to you after.

While analysing this issue on my code, I found that CreateJwtClaims method uses CacheManager... And I just figured out that I'm having issues with CacheManager when my Azure AppService is running on multiple instance. For example, when running with 2 instances, I'm not able to switch user to different tenant accounts (like this https://support.aspnetzero.com/QA/Questions/9502/Switching-tenant-fails-in-mutiple-docker-container-instances-setup)

Therefore, I'm wondering if all these issue are coming from cache management ? (Should I use Redis ?) What do you think ?
0

ricavir created 2 months ago

Hi @ismcagdas,

Any news about my previous question for CacheManager ?
0

ismcagdas created 2 months ago
Support Team

Hi @ricavir

Sorry, I just saw your question. If you are using more than one instance of your app, it is suggested to use Redis or a similar central cache system. Otherwise, each instance will keep its own memyr cache and there will be problems.
0

ricavir created 2 months ago

Hi @ismcagdas,

Tks for your answer, I will implement redis then.
0

ismcagdas created one month ago
Support Team

Thanks @ricavir

@shedspotter did you make any progress on this ?

Have an answer to this question? Log in and write your answer.